CIPPIC calls for public registry of data breaches

From CIPPIC.

CIPPIC calls for Public Registry of Data Breaches and Limits to Online Collection of Kids’ Data

Responding to a federal government consultation on reform of data protection law, the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) is calling for the establishment of a centralized, electronic registry of corporate data breaches that would be publicly accessible. CIPPIC is a legal clinic based at the University of Ottawa, Faculty of Law.

Last year, a Parliamentary Committee recommended that the law be amended to include a new requirement for corporations to notify individuals of security breaches that exposed their personal information to potential misuse. The federal government has since indicated its intention to act on this recommendation. In its January 15th submission, CIPPIC supports the proposal for mandatory individual notification, but argues that mandatory reporting to a public registry of data breaches is a more effective way of encouraging corporations to take stronger security measures in the first place.

“If organizations perceive a real risk of bad publicity in the event of a security breach, they are much more likely to invest in effective security up front”, says Philippa Lawson, Director of CIPPIC. “Notifying individuals whose data has been compromised, while essential for harm mitigation purposes, is a very indirect and unreliable way of notifying the media. A much better way is to require that data breaches be recorded in a public registry, for review by anyone including journalists, consumers, and regulators.”

CIPPIC’s submission (PDF) also addresses the issue of children’s privacy, calling for a prohibition on the use of kids’ data for marketing purposes. “The explosion of commercial websites targeting children in recent years is of great concern”, said Lawson, “especially since our data protection laws apply the same rules to kids’ information as they do to adults’ information. It’s time that we set clear limits on the gathering and use of kids’ data for commercial purposes. We need absolute limits, not rules based on some fictional idea of consent, which exploits the credulity of children and is rarely meaningful in the commercial context even when applied to adults.”

Finally, CIPPIC calls for law reform to address “PIPEDA’s woefully inadequate redress and enforcement regime”. Referring to its 2006 study that showed widespread non-compliance with data protection legislation, CIPPIC notes that the law needs more teeth if it is to cause corporations to change their practices. CIPPIC’s proposals include providing for class actions and punitive damages for violations of PIPEDA.